Table of Contents
Enabling an Authentication Method
Configuring the GTK Rekey Method
Displaying and Maintaining WLAN Security
WLAN Security Configuration Examples
PSK Authentication Configuration Example
MAC-and-PSK Authentication Configuration Example
802.1X Authentication Configuration Example
Dynamic WEP Encryption-802.1X Authentication Configuration Example
Supported Combinations for Ciphers
• The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
• Feature support on the H3C WA series WLAN access points (APs) may vary by AP model. For more information, see Feature Matrix.
• The interface types and the number of interfaces vary by AP model.
• The radio types supported by the H3C WA series WLAN access points vary by AP model.
• The term AP in this document refers to common APs, wireless bridges, or mesh APs.
This chapter includes these sections:
• WLAN Security Configuration Examples
• Supported Combinations for Ciphers
WLAN Security Configuration
Overview
The wireless security capabilities incorporated in 802.11 are inadequate for protecting networks containing sensitive information. They do a fairly good job of defending against the general public, but skilled attackers can break into a wireless network. As a result, advanced security mechanisms beyond the capability of 802.11 must be implemented to protect against unauthorized access to resources on the network.
Authentication Modes
To ensure WLAN security, an AP must authenticate clients. A client can be associated with an AP only when it passes authentication. The following two authentication modes are supported.
• Open system authentication
Open system authentication is the default authentication algorithm and the simplest of the available algorithms; essentially it is a null authentication algorithm. Any client that requests authentication with this algorithm can become authenticated. Open system authentication is not guaranteed to succeed, because an AP may decline to authenticate the client. It is a two-step process: first, the wireless client sends an authentication request; second, the AP determines whether the wireless client passes authentication and returns the result to the client.
Figure 1-1 Open system authentication process
• Shared key authentication
The following figure shows a shared key authentication process. The two parties have the same shared key configured.
1) The client sends an authentication request to the AP.
2) The AP randomly generates a challenge and sends it to the client.
3) The client uses the shared key to encrypt the challenge and sends it to the AP.
4) The AP uses the shared key to encrypt the challenge and compares the result with that received from the client. If they are identical, the client passes the link authentication. If not, the link authentication fails.
Figure 1-2 Shared key authentication process
WLAN Data Security
Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium and thus every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices without the right key cannot read encrypted data.
1) Plain-text data
No data packets are encrypted. This is in fact a WLAN service without any security protection.
2) WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated.
• Static WEP encryption
With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can read all encrypted data. In addition, periodic manual key updates impose a heavy management burden.
• Dynamic WEP encryption
Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol, so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.
Although WEP encryption makes network interception and session hijacking more difficult, it still has weaknesses due to the limitations of the RC4 encryption algorithm and static key configuration.
3) TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP and provides more secure protection for the WLAN, as follows:
• First, TKIP provides longer IVs to enhance encryption security. Compared with WEP, TKIP uses the 128-bit RC4 encryption algorithm and increases the IV length from 24 bits to 48 bits.
• Second, TKIP allows dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
• Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing service for a certain period to prevent the attack from continuing.
4) CCMP encryption
CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, thus improving the security to a certain extent.
Client Access Authentication
After a wireless client sets up a wireless link with an AP, the client is considered to have accessed the wireless network. However, for the security and management of the wireless network, the client can access network resources only after passing subsequent authentication. Among the authentication mechanisms, preshared key (PSK) authentication and 802.1X authentication accompany the dynamic key negotiation and management of the wireless link, and are therefore closely related to wireless link negotiation. However, they are not directly related to the wireless link itself.
1) PSK authentication
Both WPA wireless access and WPA2 wireless access support PSK authentication. To implement PSK authentication, the client and the authenticator must have the same shared key configured.
2) 802.1X authentication
As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of a WLAN access control device can access the resources on the WLAN only after passing authentication.
3) MAC authentication
MAC authentication provides a way of authenticating users based on ports and MAC addresses. The user does not need to install any client software. When the device first detects the MAC address of a user, it starts authentication for that user; during the authentication process, the user does not need to enter a username or password. In WLAN applications, MAC authentication requires the MAC addresses of the clients to be known in advance. Therefore, MAC authentication is applicable to small-scale networks with relatively fixed users, for example, SOHO and small offices.
Protocols and Standards
• IEEE Standard for Information Technology: Telecommunications and Information Exchange Between Systems; Local and Metropolitan Area Networks; Specific Requirements, 2004
• Wi-Fi Protected Access: Enhanced Security Implementation Based on IEEE P802.11i Standard, August 2004
• Information Technology: Telecommunications and Information Exchange Between Systems; Local and Metropolitan Area Networks; Specific Requirements, IEEE 802.11, 1999
• IEEE Std 802.1X-2004, IEEE Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control
Configuring WLAN Security
To configure WLAN Security on a service template, map the service template to a radio. The SSID name, advertisement setting (beaconing), and encryption settings are configured in the service template. You can configure the SSID to support any combination of WPA, RSN, and non-WPA clients.
• Enabling an Authentication Method: Required
• Configuring the PTK Lifetime: Optional
• Configuring the GTK Rekey Method: Optional
• Configuring Security IE: Required
• Configuring Cipher Suite: Required
• Configuring Port Security: Optional
Enabling an Authentication Method
You can enable both open system authentication and shared key authentication or either of them.
Follow these steps to enable the authentication method:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto (Required)
3. Enable an authentication method: authentication-method { open-system | shared-key } (Optional. Open system authentication is used by default. Shared key authentication is usable only when WEP encryption is adopted; in that case you must configure the authentication-method shared-key command. For RSN and WPA, shared key authentication is not required; only open system authentication is required.)
Configuring the PTK Lifetime
A pairwise transient key (PTK) is generated through a four-way handshake, which uses the pairwise master key (PMK), an AP random value (ANonce), a client random value (SNonce), the AP's MAC address and the client's MAC address.
Follow these steps to configure the PTK lifetime:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto
3. Configure the PTK lifetime: ptk-lifetime time (Optional. By default, the PTK lifetime is 43200 seconds.)
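As an added illustration that is not part of this configuration guide, the following Python computes the keys described above: the PMK from a PSK passphrase and SSID, then the PTK from the PMK, ANonce, SNonce and the two MAC addresses, and models why a client with a different PSK fails the handshake MIC check in message 2. The MAC addresses, nonces and EAPOL frame bytes are constructed placeholders; the passphrase and SSID reuse the guide's PSK example values.

```python
import hashlib
import hmac

# Constructed example values (not from the configuration guide). The passphrase and SSID
# match the guide's PSK example (12345678 / psktest); MAC addresses and nonces are made up.
PASSPHRASE = "12345678"
SSID = "psktest"
AP_MAC = bytes.fromhex("000fe2000001")      # AA: authenticator (AP) MAC address, constructed
CLIENT_MAC = bytes.fromhex("00146c8a43ff")  # SPA: supplicant (client) MAC address, constructed
ANONCE = bytes(range(32))                   # AP random value, constructed
SNONCE = bytes(range(32, 64))               # client random value, constructed


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 256-bit output (IEEE 802.11 passphrase-to-PSK mapping)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               ptk_len: int = 48) -> bytes:
    """Four-way handshake PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    48 bytes suffices for CCMP (KCK || KEK || TK); TKIP needs 64 (two extra Michael keys).
    The min/max ordering is why both sides derive the same PTK regardless of who is who."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, ptk_len)


def split_ptk(ptk: bytes) -> dict:
    """KCK protects EAPOL-Key MICs, KEK wraps the GTK in message 3, TK encrypts data frames."""
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """EAPOL-Key MIC for an RSN/CCMP association: HMAC-SHA1 truncated to 128 bits,
    computed over the frame with its MIC field zeroed. The frame here is a constructed
    byte string, so the MIC is simply computed over the whole string."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def handshake_succeeds(ap_passphrase: str, client_passphrase: str, ssid: str) -> bool:
    """Model message 2 of the handshake: the client signs its SNonce with a KCK derived from
    its own PSK; the AP derives its own KCK and accepts the client only if the MICs match.
    This is why a client configured with a different PSK never reaches the associated state."""
    client_ptk = derive_ptk(derive_pmk(client_passphrase, ssid), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    msg2 = b"EAPOL-Key msg2 (constructed):" + SNONCE
    client_mic = eapol_key_mic(split_ptk(client_ptk)["kck"], msg2)
    ap_mic = eapol_key_mic(split_ptk(ap_ptk)["kck"], msg2)
    return hmac.compare_digest(client_mic, ap_mic)


if __name__ == "__main__":
    pmk = derive_pmk(PASSPHRASE, SSID)
    ptk = derive_ptk(pmk, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    print("PMK:", pmk.hex())
    print("TK :", split_ptk(ptk)["tk"].hex())
    print("same PSK  ->", handshake_succeeds(PASSPHRASE, PASSPHRASE, SSID))
    print("wrong PSK ->", handshake_succeeds(PASSPHRASE, "12345679", SSID))
```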
Configuring the GTK Rekey Method
A fat AP generates a group transient key (GTK) and sends the GTK to a client during the authentication process between an AP and the client through the group key handshake or 4-way handshake. The client uses the GTK to decrypt broadcast and multicast packets. RSN negotiates the GTK through the 4-way handshake or group key handshake, while WPA negotiates the GTK only through group key handshake.
Two GTK rekey methods can be configured:
• Time-based GTK rekey: after the specified interval elapses, GTK rekey occurs.
• Packet-based GTK rekey: after the specified number of packets is sent, GTK rekey occurs.
You can also configure the device to start GTK rekey when a client goes offline, provided that GTK rekey has been enabled with the gtk-rekey enable command.
Configure GTK rekey based on time
Follow these steps to configure GTK Rekey based on time:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto
3. Enable GTK rekey: gtk-rekey enable (Required. By default, GTK rekey is enabled.)
4. Configure the GTK rekey interval: gtk-rekey method time-based time (Required. By default, the interval is 86400 seconds.)
5. Configure the device to start GTK rekey when a client goes offline: gtk-rekey client-offline enable (Optional. By default, GTK rekey is not started when a client goes offline.)
Configure GTK rekey based on packet
Follow these steps to configure GTK rekey based on packet:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto
3. Enable GTK rekey: gtk-rekey enable (Required. By default, GTK rekey is enabled.)
4. Configure GTK rekey based on packet: gtk-rekey method packet-based [ packet ] (Required. The default packet number is 10000000.)
5. Start GTK rekey when a client goes offline: gtk-rekey client-offline enable (Optional. By default, GTK rekey is not started when a client goes offline.)
• By default, time-based GTK rekey is adopted, and the rekey interval is 86400 seconds.
• Configuring a new GTK rekey method overwrites the previous one. For example, if time-based GTK rekey is configured after packet-based GTK rekey is configured, time-based GTK rekey takes effect.
Configuring Security IE
The security IE configuration includes WPA and RSN configuration. For WPA and RSN configuration, open system authentication is required.
Disable the 802.1X online user handshake function before starting PTK and GTK negotiation.
Configuring WPA security IE
Wi-Fi Protected Access (WPA) ensures greater protection than WEP. WPA operates in either WPA-PSK (also called Personal) mode or WPA-802.1X (also called Enterprise) mode. In Personal mode, a pre-shared key or passphrase is used for authentication. In Enterprise mode, 802.1X, RADIUS servers and the Extensible Authentication Protocol (EAP) are used for authentication.
Follow these steps to configure WPA security IE:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto (Required)
3. Enable the WPA security IE: security-ie wpa (Required)
Configuring RSN security IE
An RSN is a security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN Information Element (IE) of beacon frames. It provides greater protection than WEP and WPA.
Follow these steps to configure the RSN security IE:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto (Required)
3. Enable the RSN security IE: security-ie rsn (Required)
Configuring Cipher Suite
A cipher suite is used for data encapsulation and decapsulation; the following encryption methods are supported:
• WEP40/WEP104/WEP128
• TKIP
• CCMP
Configuring WEP
1) Configure static WEP encryption
The WEP encryption mechanism requires that the authenticator and clients on a WLAN have the same key configured. WEP adopts the RC4 algorithm (a stream encryption algorithm), supporting WEP40, WEP104 and WEP128 keys.
WEP can be used with either open system authentication mode or shared key authentication mode:
• In open system authentication mode, a WEP key is used for encryption only. A client can go online without having the same key as the authenticator. But if the receiver has a different key from the sender, it will discard the packets received from the sender.
• In shared key authentication mode, the WEP key is used for both encryption and authentication. If the key of a client is different from that of the authenticator, the client cannot go online.
Follow these steps to configure static WEP encryption:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto
3. Enable the cipher suite: cipher-suite { wep40 | wep104 | wep128 } (Required)
4. Configure the WEP default keys: wep default-key { 1 | 2 | 3 | 4 } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } [ cipher | simple ] key (Required. Not configured by default.)
5. Configure the WEP key ID: wep key-id { 1 | 2 | 3 | 4 } (Required. The default key ID is 1.)
2) Configure dynamic WEP encryption
Follow these steps to configure dynamic WEP encryption:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto
3. Enable dynamic WEP encryption: wep mode dynamic (Required. By default, static WEP encryption is adopted. Dynamic WEP encryption must be used together with 802.1X authentication.)
4. Enable the WEP cipher suite: cipher-suite { wep40 | wep104 | wep128 } (Optional. With dynamic WEP encryption configured, the device automatically uses the WEP104 cipher suite. To change the encryption method, use the cipher-suite command.)
5. Configure the WEP default key: wep default-key { 1 | 2 | 3 | 4 } { wep40 | wep104 | wep128 } { pass-phrase | raw-key } key (Optional. No WEP default key is configured by default. If a WEP default key is configured, it is used to encrypt multicast frames; if not, the device randomly generates a multicast WEP key.)
6. Specify a key index number: wep key-id { 1 | 2 | 3 } (Optional. By default, the key index number is 1. For dynamic WEP encryption, the WEP key ID cannot be 4.)
Configuring TKIP
Follow these steps to configure TKIP:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto (Required)
3. Enable the TKIP cipher suite: cipher-suite tkip (Required)
4. Set the TKIP countermeasure time: tkip-cm-time time (Optional. By default, the countermeasure time is 60 seconds.)
Message integrity check (MIC) is used to prevent attackers from modifying data. It ensures data integrity by using the Michael algorithm. When a MIC check fails, the device considers that the data has been modified and that the system is under attack. Upon detecting the attack, TKIP is suspended for the countermeasure interval, that is, no TKIP associations can be established within the interval.
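The countermeasure behaviour just described, as an added Python model that is not code from the guide: it replays a constructed timeline of TKIP frames and association attempts against a receiver that opens a failure window on the first MIC failure, starts countermeasures on the second, and refuses new associations for the configured tkip-cm-time. The 60-second failure window between the two failures is an assumption taken from IEEE 802.11; the guide itself only says "a certain period".

```python
from typing import List, Optional, Tuple


class TkipCountermeasures:
    """Tracks Michael MIC failures for one BSS and enforces the TKIP countermeasure interval.
    cm_time mirrors the guide's tkip-cm-time (60 s by default). failure_window is an
    assumption taken from IEEE 802.11: two MIC failures within 60 s trigger countermeasures."""

    def __init__(self, cm_time: float = 60.0, failure_window: float = 60.0):
        self.cm_time = cm_time
        self.failure_window = failure_window
        self.first_failure_at: Optional[float] = None
        self.suspended_until: Optional[float] = None
        self.log: List[Tuple[float, str]] = []

    def in_countermeasures(self, now: float) -> bool:
        return self.suspended_until is not None and now < self.suspended_until

    def on_data_frame(self, now: float, mic_ok: bool) -> str:
        """Receiver-side decision for one TKIP data frame after its MIC has been checked."""
        if self.in_countermeasures(now):
            verdict = "dropped: countermeasures active"
        elif mic_ok:
            verdict = "accepted"
        elif (self.first_failure_at is not None
              and now - self.first_failure_at <= self.failure_window):
            # Second failure inside the window: suspend TKIP for cm_time seconds.
            self.suspended_until = now + self.cm_time
            self.first_failure_at = None
            verdict = "dropped: second MIC failure, countermeasures started"
        else:
            self.first_failure_at = now
            verdict = "dropped: first MIC failure, window opened"
        self.log.append((now, verdict))
        return verdict

    def association_allowed(self, now: float) -> bool:
        """No new TKIP associations are accepted while countermeasures are active."""
        return not self.in_countermeasures(now)


def replay(events: List[Tuple[str, float, bool]], cm_time: float = 60.0) -> List[str]:
    """Feed a timeline of ('frame', t, mic_ok) and ('assoc', t, _) events and collect verdicts."""
    state = TkipCountermeasures(cm_time=cm_time)
    results = []
    for kind, t, ok in events:
        if kind == "frame":
            results.append(state.on_data_frame(t, ok))
        else:
            results.append("assoc allowed" if state.association_allowed(t) else "assoc rejected")
    return results


# Constructed timeline: two MIC failures 10 s apart, then association attempts during
# and after the 60 s countermeasure interval, then an isolated failure much later.
SAMPLE_EVENTS = [
    ("frame", 0.0, True),
    ("frame", 5.0, False),    # first failure: window opens
    ("frame", 15.0, False),   # second failure within 60 s: countermeasures until t=75
    ("assoc", 30.0, True),    # rejected while suspended
    ("frame", 40.0, True),    # dropped even though its MIC is fine
    ("assoc", 80.0, True),    # allowed again after the interval
    ("frame", 200.0, False),  # isolated failure long after the window: no countermeasures
    ("assoc", 210.0, True),
]

if __name__ == "__main__":
    for (kind, t, _), verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:6.1f}s {kind:5s} -> {verdict}")
```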
Configuring CCMP
CCMP is the most secure data protection mechanism supported by WLAN. It adopts the AES encryption algorithm.
Follow these steps to configure CCMP:
1. Enter system view: system-view
2. Enter WLAN service template view: wlan service-template service-template-number crypto (Required)
3. Enable the CCMP cipher suite: cipher-suite ccmp (Required)
Configuring Port Security
Port security configuration includes authentication type configuration and the AAA server configuration. The authentication type configuration includes the following options:
• PSK
• 802.1X
• MAC
• PSK and MAC
Before configuring port security, you must:
• Create the WLAN-BSS interface
• Enable port security globally
Configure PSK authentication
Follow these steps to configure PSK authentication:
1. Enter system view: system-view
2. Enter WLAN-BSS interface view: interface wlan-bss interface-number (Required)
3. Enable 11key negotiation: port-security tx-key-type 11key (Required. Not enabled by default.)
4. Configure the key: port-security preshared-key { pass-phrase | raw-key } key (Required. Not configured by default.)
5. Enable the PSK port security mode: port-security port-mode psk (Required)
Configure 802.1X authentication
Follow these steps to configure 802.1X authentication:
1. Enter system view: system-view
2. Enter WLAN-BSS interface view: interface wlan-bss interface-number (Required)
3. Enable 11key negotiation: port-security tx-key-type 11key (Required. Not enabled by default.)
4. Enable the 802.1X port security mode: port-security port-mode userlogin-secure-ext (Required)
Configure MAC authentication
Follow these steps to configure MAC authentication:
1. Enter system view: system-view
2. Enter WLAN-BSS interface view: interface wlan-bss interface-number
3. Enable the MAC authentication port security mode: port-security port-mode mac-authentication (Required)
802.11i does not support MAC authentication.
Configure PSK and MAC authentication
Follow these steps to configure PSK and MAC authentication:
1. Enter system view: system-view
2. Enter WLAN-BSS interface view: interface wlan-bss interface-number
3. Enable 11key negotiation: port-security tx-key-type 11key (Required. Not enabled by default.)
4. Enable the PSK and MAC port security mode: port-security port-mode mac-and-psk (Required)
5. Configure the pre-shared key: port-security preshared-key { pass-phrase | raw-key } key (Required. The key is a string of 8 to 63 characters or a 64-digit hexadecimal number.)
For more information about port security configuration commands, see Port Security in the Security Configuration Guide.
Displaying and Maintaining WLAN Security
• Display WLAN service template information: display wlan service-template [ service-template-number ]
• Display MAC authentication information: display mac-authentication [ interface interface-list ]
• Display the secure MAC address information of port security: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
• Display the PSK user information of port security: display port-security preshared-key user [ interface interface-type interface-number ]
• Display the configuration information, running state and statistics of port security: display port-security [ interface interface-list ]
• Display 802.1X session information or statistics: display dot1x [ sessions | statistics ] [ interface interface-list ]
All of these display commands are available in any view.
For more information about related display commands, see Port Security, 802.1X, and MAC Authentication in the Security Command Reference.
WLAN Security Configuration Examples
PSK Authentication Configuration Example
Network requirements
• As shown in Figure 1-3, the AP is connected to the Switch. The PSK key configured on the client side is 12345678. The same PSK key is configured on the AP.
• It is required to perform PSK authentication on the client.
Figure 1-3 Network diagram for PSK authentication configuration
Configuration procedure
1) Configure the AP
# Enable port security.
<AP> system-view
[AP] port-security enable
# Configure the authentication mode as psk, and the pre-shared key as 12345678, and specify the key type as 802.11key.
[AP] interface wlan-bss 1
[AP-WLAN-BSS1] port-security port-mode psk
[AP-WLAN-BSS1] port-security preshared-key pass-phrase simple 12345678
[AP-WLAN-BSS1] port-security tx-key-type 11key
[AP-WLAN-BSS1] quit
# Create crypto-type service template 1, and configure its SSID as psktest.
[AP] wlan service-template 1 crypto
[AP-wlan-st-1] ssid psktest
# Enable the RSN information element in the beacon and probe response frames, and enable the CCMP cipher suite.
[AP-wlan-st-1] security-ie rsn
[AP-wlan-st-1] cipher-suite ccmp
# Specify the open-system authentication mode, and enable the service template.
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
# Bind the WLAN-BSS interface to the service template on the radio interface.
[AP] interface wlan-radio1/0/2
[AP-WLAN-Radio1/0/2] radio-type dot11g
[AP-WLAN-Radio1/0/2] service-template 1 interface wlan-bss 1
2) Verify the configuration
• Configure the same PSK on the client. After that, the client can associate with the AP and access the WLAN.
• You can use the display wlan client and display port-security preshared-key user commands to view the online clients.
MAC-and-PSK Authentication Configuration Example
Network Requirements
• As shown in Figure 1-4, a fat AP is connected to a RADIUS server through a Layer 2 switch, and they are in the same network.
• It is required to perform MAC-and-PSK authentication on the client. After passing the authentication, the client uses the pre-configured pre-shared key to negotiate with the AP, and accesses the WLAN after a successful negotiation.
Figure 1-4 Network diagram for MAC-and-PSK authentication configuration
Configuration procedure
1) Configure the fat AP
# Enable port security.
<AP> system-view
[AP] port-security enable
# Configure the authentication mode as mac-and-psk, and the pre-shared key as 12345678, and specify the key type as 802.11key.
[AP] interface wlan-bss 1
[AP-WLAN-BSS1] port-security port-mode mac-and-psk
[AP-WLAN-BSS1] port-security preshared-key pass-phrase simple 12345678
[AP-WLAN-BSS1] port-security tx-key-type 11key
[AP-WLAN-BSS1] quit
# Create a crypto-type service template, and configure its SSID as mactest.
[AP] wlan service-template 1 crypto
[AP-wlan-st-1] ssid mactest
# Enable the RSN information element in the beacon and probe response frames, and enable the CCMP cipher suite.
[AP-wlan-st-1] security-ie rsn
[AP-wlan-st-1] cipher-suite ccmp
# Specify the open-system authentication mode, and enable the service template.
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
# Configure a RADIUS scheme named rad. Configure the IP address of both the primary authentication/authorization server and the primary accounting server as 10.1.1.88, the shared key for authentication, authorization, and accounting as 12345678, specify the extended RADIUS server type, and configure the scheme to exclude the ISP domain name from the usernames sent to the RADIUS server.
[AP] radius scheme rad
[AP-radius-rad] primary authentication 10.1.1.88
[AP-radius-rad] primary accounting 10.1.1.88
[AP-radius-rad] key authentication 12345678
[AP-radius-rad] key accounting 12345678
[AP-radius-rad] server-type extended
[AP-radius-rad] user-name-format without-domain
[AP-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS authentication/authorization/accounting scheme rad.
[AP] domain cams
[AP-isp-cams] authentication lan-access radius-scheme rad
[AP-isp-cams] authorization lan-access radius-scheme rad
[AP-isp-cams] accounting lan-access radius-scheme rad
[AP-isp-cams] quit
# Configure the MAC authentication domain cams.
[AP] mac-authentication domain cams
# Configure MAC authentication user name format, using MAC addresses without hyphen as username and password (consistent with the format on the server).
[AP] mac-authentication user-name-format mac-address without-hyphen
# Bind the WLAN-BSS interface with the service template.
[AP] interface wlan-radio1/0/2
[AP-WLAN-Radio1/0/2] radio-type dot11g
[AP-WLAN-Radio1/0/2] service-template 1 interface wlan-bss 1
2) Configure the RADIUS server (iMC)
The following takes the iMC (the iMC versions are iMC PLAT 3.20-R2602 and iMC UAM 3.60-E6102) as an example to illustrate the basic configurations of the RADIUS server.
# Add access device.
Log in to the iMC management platform. Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page. Click Add on the page to enter the configuration page shown in Figure 1-5:
• Enter 12345678 for Shared Key.
• Enter ports 1812 and 1813 for Authentication Port and Accounting Port respectively.
• Select LAN Access Service for Service Type.
• Select H3C for Access Device Type.
• Select or manually add an access device with the IP address 10.18.1.1.
# Add service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to enter the add service page. Then click Add on the page to enter the configuration page shown in Figure 1-6. Set the service name to mac, and keep the default values for the other settings.
Figure 1-6 Add service
# Add account.
Select the User tab, and then select User > All Access Users from the navigation tree to enter the user page. Then, click Add on the page to enter the page shown in Figure 1-7.
• Enter a username.
• Add an account and password 00146c8a43ff.
• Select the service mac.
3) Verify the configuration
• After the client passes the MAC-and-PSK authentication, the client can associate with the AP and access the WLAN.
• You can use the display wlan client, display connection and display mac-authentication commands to view the online clients.
802.1X Authentication Configuration Example
Network requirements
• As shown in Figure 1-8, an AC with IP address 10.18.1.1, an AP and a RADIUS server with IP address 10.18.1.88 are connected through a Layer 2 switch.
• It is required to perform 802.1X authentication on the client.
Figure 1-8 802.1X authentication configuration
Configuration procedure
1) Configure the fat AP
# Enable port security, and set the authentication method of the 802.1X user to eap.
<AP> system-view
[AP] port-security enable
[AP] dot1x authentication-method eap
# Configure a RADIUS scheme named rad. Configure the IP address of both the primary authentication/authorization server and the primary accounting server as 10.18.1.88, the shared key for authentication, authorization, and accounting as 12345678, and configure the scheme to exclude the ISP domain name from the usernames sent to the RADIUS server.
[AP] radius scheme rad
[AP-radius-rad] primary authentication 10.18.1.88
[AP-radius-rad] primary accounting 10.18.1.88
[AP-radius-rad] key authentication 12345678
[AP-radius-rad] key accounting 12345678
[AP-radius-rad] user-name-format without-domain
[AP-radius-rad] quit
# Configure AAA domain cams by referencing RADIUS authentication/authorization/accounting scheme rad.
[AP] domain cams
[AP-isp-cams] authentication lan-access radius-scheme rad
[AP-isp-cams] authorization lan-access radius-scheme rad
[AP-isp-cams] accounting lan-access radius-scheme rad
[AP-isp-cams] quit
# Configure cams as the default ISP domain.
[AP] domain default enable cams
# Configure port security on interface WLAN-BSS 1: specify the port mode as userlogin-secure-ext, and the key type as 802.11 key.
[AP] interface wlan-bss 1
[AP-WLAN-BSS1] port-security port-mode userlogin-secure-ext
[AP-WLAN-BSS1] port-security tx-key-type 11key
# Disable the multicast trigger function and the online user handshake function.
[AP-WLAN-BSS1] undo dot1x multicast-trigger
[AP-WLAN-BSS1] undo dot1x handshake
[AP-WLAN-BSS1] quit
# Create a crypto-type WLAN service template, configure its SSID as dot1xtest.
[AP] wlan service-template 1 crypto
[AP-wlan-st-1] ssid dot1xtest
# Enable the RSN information element in the beacon and probe response frames, and enable the CCMP cipher suite.
[AP-wlan-st-1] security-ie rsn
[AP-wlan-st-1] cipher-suite ccmp
# Specify the open-system authentication mode, and enable the WLAN service template.
[AP-wlan-st-1] authentication-method open-system
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
# Configure the radio type as 802.11g for radio interface WLAN-Radio 1/0/2, and bind service template 1 to interface WLAN-BSS1 on the radio interface.
[AP] interface wlan-radio1/0/2
[AP-WLAN-Radio1/0/2] radio-type dot11g
[AP-WLAN-Radio1/0/2] service-template 1 interface wlan-bss 1
2) Configure the RADIUS server (iMC)
The following takes the iMC (the iMC versions are iMC PLAT 3.20-R2602 and iMC UAM 3.60-E6102) as an example to illustrate the basic configurations of the RADIUS server.
# Add access device.
Log in to the iMC management platform. Select the Service tab, and then select Access Service > Access Device from the navigation tree to enter the access device configuration page. Click Add on the page to enter the configuration page shown in Figure 1-9:
• Enter 12345678 for Shared Key.
• Enter ports 1812 and 1813 for Authentication Port and Accounting Port respectively.
• Select LAN Access Service for Service Type.
• Select H3C for Access Device Type.
• Select or manually add an access device with the IP address 10.18.1.1.
# Add service.
Select the Service tab, and then select Access Service > Service Configuration from the navigation tree to enter the add service page. Then click Add on the page to enter the configuration page shown in Figure 1-10.
l Set the service name to dot1x.
l Select EAP-PEAP AuthN from the Certificate Type drop-down list, and MS-CHAPV2 AuthN from the Certificate Sub-Type drop-down list.
# Add an account.
Select the User tab, and then select Users > All Access Users from the navigation tree to enter the user page. Then click Add on the page to enter the page shown in Figure 1-11.
l Enter the username user.
l Set the account password to dot1x.
l Select the dot1x service.
3) Configure the wireless card
Double-click the wireless network icon at the bottom right corner of your desktop. The Wireless Network Connection Status window appears. Click the Properties button on the General tab. The Wireless Network Connection Properties window appears. On the Wireless Networks tab, select the wireless network whose SSID is the one configured on the service template (dot1xtest in this example), and then click Properties. In the Properties window for that network, on the Authentication tab, select Protected EAP (PEAP) from the EAP type drop-down list, and click Properties. In the popup window, clear Validate server certificate, and click Configure. In the popup dialog box, clear Automatically use my Windows logon name and password (and domain if any). The configuration procedure is as shown in Figure 1-12 through Figure 1-14.
Clearing Validate server certificate is acceptable only for a lab test. With server certificate validation disabled, the client completes the PEAP outer TLS tunnel with any AP or RADIUS server that presents the SSID, and the inner MS-CHAPv2 exchange then runs against an unverified peer. In production, keep validation enabled, install the CA certificate that issued the RADIUS server certificate on the client, and restrict the accepted server names.
Figure 1-12 Configure the wireless card (I)
Figure 1-13 Configure the wireless card (II)
Figure 1-14 Configure the wireless card (III)
4) Verify the configuration.
l The client can pass 802.1X authentication and associate with the AP.
l You can use the display wlan client, display connection, and display dot1x commands to view the online clients.
Dynamic WEP Encryption-802.1X Authentication Configuration Example
Network requirements
l As shown in Figure 1-15, a fat AP with IP address 10.18.1.1 and a RADIUS server with IP address 10.18.1.88 are connected through a Layer 2 switch.
l 802.1X authentication with dynamic WEP encryption is required: after a client passes 802.1X authentication, the AP delivers per-session WEP keys to it instead of a static key shared by all clients.
l Dynamic WEP only rotates the keys; the cipher is still RC4-based WEP and is not considered secure. Use this example for legacy clients only, and prefer RSN with CCMP wherever the clients support it.
Figure 1-15 Network diagram for dynamic WEP encryption-802.1X authentication
Configuration procedure
1) Configure the AP
<Sysname> system-view
[Sysname] port-security enable
[Sysname] dot1x authentication-method eap
# Create RADIUS scheme rad, specify the primary authentication and accounting servers, and set the shared keys to the value configured on the RADIUS server.
[Sysname] radius scheme rad
[Sysname-radius-rad] primary authentication 10.18.1.88
[Sysname-radius-rad] primary accounting 10.18.1.88
[Sysname-radius-rad] key authentication 12345678
[Sysname-radius-rad] key accounting 12345678
[Sysname-radius-rad] user-name-format without-domain
[Sysname-radius-rad] quit
# Configure AAA domain bbb by referencing RADIUS scheme rad.
[Sysname] domain bbb
[Sysname-isp-bbb] authentication lan-access radius-scheme rad
[Sysname-isp-bbb] authorization lan-access radius-scheme rad
[Sysname-isp-bbb] accounting lan-access radius-scheme rad
[Sysname-isp-bbb] quit
[Sysname] domain default enable bbb
# Configure the WLAN-BSS interface.
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] port-security port-mode userlogin-secure-ext
[Sysname-WLAN-BSS1] port-security tx-key-type 11key
[Sysname-WLAN-BSS1] quit
# Create service template 1 of crypto type, configure its SSID as dot1x, and configure dynamic WEP encryption.
[Sysname] wlan service-template 1 crypto
[Sysname-wlan-st-1] authentication-method open-system
[Sysname-wlan-st-1] ssid dot1x
[Sysname-wlan-st-1] wep mode dynamic
[Sysname-wlan-st-1] service-template enable
[Sysname-wlan-st-1] quit
# Configure the radio type as 802.11g for radio interface WLAN-Radio 1/0/2, and bind service template 1 to interface WLAN-BSS 1 on the radio interface.
[Sysname] interface wlan-radio1/0/2
[Sysname-WLAN-Radio1/0/2] radio-type dot11g
[Sysname-WLAN-Radio1/0/2] service-template 1 interface wlan-bss 1
2) Configure the RADIUS server (iMC)
See Configure the RADIUS server (iMC).
3) Configure the wireless card
See Configure the wireless card.
Configuration verification
l After entering the username user and password dot1x in the popup dialog box, the client can associate with the AP and access the WLAN.
l You can use the display wlan client, display connection, and display dot1x commands to view online client information.
Supported Combinations for Ciphers
This section introduces the combinations that can be used during the cipher suite configuration.
RSN
For RSN, the WLAN-WSEC module supports only the CCMP and TKIP ciphers as pairwise (unicast) ciphers; WEP cipher suites can be used only as group (broadcast/multicast) cipher suites. The table below lists the cipher suite combinations that WLAN-WSEC supports for RSN. WEP40, WEP104 and WEP128 are mutually exclusive. Only the CCMP/CCMP rows keep all traffic under AES-CCMP; with a WEP or TKIP group cipher, broadcast and multicast frames are still protected by RC4, so prefer CCMP for both ciphers whenever every client supports it.
Unicast cipher | Broadcast cipher | Authentication method | Security Type |
---|---|---|---|
CCMP | WEP40 | PSK | RSN |
CCMP | WEP104 | PSK | RSN |
CCMP | WEP128 | PSK | RSN |
CCMP | TKIP | PSK | RSN |
CCMP | CCMP | PSK | RSN |
TKIP | WEP40 | PSK | RSN |
TKIP | WEP104 | PSK | RSN |
TKIP | WEP128 | PSK | RSN |
TKIP | TKIP | PSK | RSN |
CCMP | WEP40 | 802.1X | RSN |
CCMP | WEP104 | 802.1X | RSN |
CCMP | WEP128 | 802.1X | RSN |
CCMP | TKIP | 802.1X | RSN |
CCMP | CCMP | 802.1X | RSN |
TKIP | WEP40 | 802.1X | RSN |
TKIP | WEP104 | 802.1X | RSN |
TKIP | WEP128 | 802.1X | RSN |
TKIP | TKIP | 802.1X | RSN |
WPA
For WPA, the WLAN-WSEC module supports the CCMP and TKIP ciphers as pairwise (unicast) ciphers; WEP cipher suites can be used only as group (broadcast/multicast) cipher suites. The table below lists the cipher suite combinations that WLAN-WSEC supports for WPA. WEP40, WEP104 and WEP128 are mutually exclusive. As with RSN, a WEP or TKIP group cipher leaves broadcast and multicast traffic under RC4 even when the unicast cipher is CCMP.
Unicast cipher | Broadcast cipher | Authentication method | Security Type |
---|---|---|---|
CCMP | WEP40 | PSK | WPA |
CCMP | WEP104 | PSK | WPA |
CCMP | WEP128 | PSK | WPA |
CCMP | TKIP | PSK | WPA |
CCMP | CCMP | PSK | WPA |
TKIP | WEP40 | PSK | WPA |
TKIP | WEP104 | PSK | WPA |
TKIP | WEP128 | PSK | WPA |
TKIP | TKIP | PSK | WPA |
CCMP | WEP40 | 802.1X | WPA |
CCMP | WEP104 | 802.1X | WPA |
CCMP | WEP128 | 802.1X | WPA |
CCMP | TKIP | 802.1X | WPA |
CCMP | CCMP | 802.1X | WPA |
TKIP | WEP40 | 802.1X | WPA |
TKIP | WEP104 | 802.1X | WPA |
TKIP | WEP128 | 802.1X | WPA |
TKIP | TKIP | 802.1X | WPA |
Pre-RSN
For pre-RSN stations, the WLAN-WSEC module supports only WEP cipher suites, with either open system or shared key authentication. WEP40, WEP104 and WEP128 are mutually exclusive. Use these combinations only for legacy clients that support nothing better: WEP itself is not considered secure, and shared key authentication additionally exposes a plaintext/ciphertext pair of the challenge to anyone capturing the exchange, so open system authentication is the less harmful of the two.
Unicast cipher | Broadcast cipher | Authentication method | Security Type |
---|---|---|---|
WEP40 | WEP40 | Open system | No security type |
WEP104 | WEP104 | Open system | No security type |
WEP128 | WEP128 | Open system | No security type |
WEP40 | WEP40 | Shared key | No security type |
WEP104 | WEP104 | Shared key | No security type |
WEP128 | WEP128 | Shared key | No security type |
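As an added example (not part of the H3C documentation), the following Python script decodes the RSN and WPA information elements that an AP places in its beacon and probe response frames once security-ie rsn or security-ie wpa is configured, and maps what it finds onto the columns of the three tables above. It then flags the rows a practitioner would reject: any WEP or TKIP group cipher, any non-CCMP pairwise cipher, and a WPA element instead of RSN. The element bytes are constructed by hand for illustration; the suite OUIs (00-0F-AC for RSN, 00-50-F2 for WPA) and the cipher and AKM suite numbers come from the standard, and the element layout is version, group cipher, pairwise cipher list, AKM list.

```python
"""Decode RSN / WPA information elements and audit the advertised cipher
combinations against the tables above.  Added example, not H3C code; the
sample elements below are constructed for illustration."""
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i suite selectors
WPA_OUI = b"\x00\x50\xf2"   # Wi-Fi Alliance (vendor-specific WPA element)

# Cipher suite and AKM suite type numbers, named as in the tables above.
CIPHER_NAMES = {1: "WEP40", 2: "TKIP", 4: "CCMP", 5: "WEP104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}


def _name(table, suite_type):
    return table.get(suite_type, "unknown(%d)" % suite_type)


def _suite(body, off, oui):
    """Return the suite type of the 4-byte selector at body[off], checking its OUI."""
    if len(body) < off + 4:
        raise ValueError("truncated suite selector")
    if body[off:off + 3] != oui:
        raise ValueError("unexpected suite OUI %s" % body[off:off + 3].hex())
    return body[off + 3]


def _suite_list(body, off, oui):
    """Parse a little-endian 16-bit count followed by that many selectors."""
    if len(body) < off + 2:
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    types = []
    for _ in range(count):
        types.append(_suite(body, off, oui))
        off += 4
    return types, off


def parse_security_ie(ie):
    """Parse one element (ID, length, body) into the table columns:
    security type (RSN or WPA), group cipher, pairwise ciphers and AKMs."""
    if len(ie) < 2 or len(ie) != 2 + ie[1]:
        raise ValueError("element length does not match the length field")
    eid, body = ie[0], ie[2:]
    if eid == 48:                                       # RSN element
        sec, oui, off = "RSN", RSN_OUI, 0
    elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # vendor-specific, WPA type 1
        sec, oui, off = "WPA", WPA_OUI, 4
    else:
        raise ValueError("not an RSN or WPA element")
    if len(body) < off + 2:
        raise ValueError("truncated version field")
    (version,) = struct.unpack_from("<H", body, off)
    if version != 1:
        raise ValueError("unsupported RSN/WPA version %d" % version)
    off += 2
    group = _suite(body, off, oui)
    off += 4
    pairwise, off = _suite_list(body, off, oui)
    akms, off = _suite_list(body, off, oui)   # RSN capabilities may follow; not needed here
    return {
        "security_type": sec,
        "group_cipher": _name(CIPHER_NAMES, group),
        "pairwise_ciphers": [_name(CIPHER_NAMES, p) for p in pairwise],
        "akms": [_name(AKM_NAMES, a) for a in akms],
    }


def table_rows(ie):
    """Expand an element into (unicast, broadcast, authentication, security type)
    tuples, one per offered pairwise cipher and AKM: the rows of the tables above."""
    info = parse_security_ie(ie)
    return [(p, info["group_cipher"], a, info["security_type"])
            for p in info["pairwise_ciphers"] for a in info["akms"]]


def audit(ie):
    """Return the reasons a practitioner would reject the advertised combination."""
    info = parse_security_ie(ie)
    findings = []
    if info["group_cipher"].startswith("WEP"):
        findings.append("group cipher %s: broadcast/multicast traffic is WEP-protected"
                        % info["group_cipher"])
    if info["group_cipher"] == "TKIP":
        findings.append("group cipher TKIP: broadcast/multicast traffic uses RC4")
    weak = [p for p in info["pairwise_ciphers"] if p != "CCMP"]
    if weak:
        findings.append("non-CCMP pairwise cipher offered: %s" % ", ".join(weak))
    if info["security_type"] == "WPA":
        findings.append("WPA element advertised: clients may negotiate WPA instead of RSN")
    return findings


# Constructed sample: RSN element, CCMP pairwise, WEP104 group, PSK AKM
# (the "CCMP | WEP104 | PSK | RSN" row of the RSN table).
SAMPLE_RSN_WEP_GROUP = bytes.fromhex(
    "30 14" "01 00" "00 0f ac 05" "01 00 00 0f ac 04" "01 00 00 0f ac 02" "00 00")
# Constructed sample: RSN element, CCMP/CCMP with 802.1X (the recommended row).
SAMPLE_RSN_CCMP = bytes.fromhex(
    "30 14" "01 00" "00 0f ac 04" "01 00 00 0f ac 04" "01 00 00 0f ac 01" "00 00")
# Constructed sample: WPA element, TKIP/TKIP with 802.1X.
SAMPLE_WPA_TKIP = bytes.fromhex(
    "dd 16" "00 50 f2 01" "01 00" "00 50 f2 02" "01 00 00 50 f2 02" "01 00 00 50 f2 01")

if __name__ == "__main__":
    for label, ie in (("RSN/WEP104 group", SAMPLE_RSN_WEP_GROUP),
                      ("RSN/CCMP", SAMPLE_RSN_CCMP), ("WPA/TKIP", SAMPLE_WPA_TKIP)):
        print(label, table_rows(ie), audit(ie) or "ok")
```

Run against elements captured from a real beacon (for example the RSN element bytes shown by a packet capture tool), the output tells you which row of the tables the AP is actually advertising, which is the quickest check that a service template configured with cipher-suite ccmp did not leave a WEP or TKIP group cipher in place.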